Enabling data at rest encryption

Use the Enable data at rest encryption wizard to enable encryption. The wizard opens when you enable data at rest encryption for the first time.

Before you begin

Enabling data at rest encryption requires a user with the storage administrator role and a user with the security administrator role. See Managing secure user accounts.

A recovery key restores access to encrypted data if the key servers are unavailable. The security administrator must create the recovery key (see Initiating a recovery key). The storage administrator then authorizes the recovery key in the Enable data at rest encryption wizard.

Ensure that at least two key servers are online, accessible, and synchronized. If you are using an IBM® Security Guardium Key Lifecycle Manager key server, ensure that the key labels are available.

To enable encryption on a storage system that uses TKLM or SKLM key servers, upgrade the key server to one of the following TKLM or SKLM versions, which have the Gen2 CA root installed:
  • TKLM version 2.0.1 or later on Open Systems
  • SKLM (all versions) on Open Systems
  • SKLM version 1.1.0.2 or later on z/OS

Procedure

  1. Log on to the storage system with the storage administrator role.
  2. Click Settings > Security. On the Security page, select Data at rest Encryption.
  3. Click Enable Encryption to open the Enable data at rest encryption wizard.
  4. On the Key Server Type page of the encryption wizard, select the key server type.
  5. On the Key Servers page, enter the host names of the key servers where the encryption keys are located. Specify from 2 to 4 key servers.
  6. For IBM Security Guardium Key Lifecycle Manager key servers, define a key label. See Defining key labels.
  7. If you are using Transport Layer Security (TLS), use the Key Server Certificates page to transfer the key server communication certificates from the key server to the storage system.
  8. On the DS8000 Encryption Communication Certificate page, export the encryption certificate for the storage system. For more information about managing encryption certificates, see Updating encryption certificates.
  9. The actions on the Recovery Key page depend on the state of the recovery key:
    1. If the recovery key was configured and verified by the security administrator, confirm authorization of the recovery key.
    2. If the recovery key was disabled by the security administrator, confirm disablement of the recovery key.
    3. If the security administrator did not configure or disable the recovery key, finish the wizard and contact the security administrator. Your settings are saved and you can return to the wizard after the security administrator configures or disables the recovery key.
  10. Click Finish to enable data at rest encryption.